Practical Usage of Passive DNS Monitoring for E-Crime Investigations
Slide 1: Practical Usage of Passive DNS Monitoring for E-Crime Investigations
Rod Rasmussen, President & CTO, Internet Identity
rod.rasmussen <isat> internetidentity.com

Slide 2: Topics
- Passive DNS overview
- Use cases
- Challenges
- The future
Slide 3: Passive DNS Replication
- 2004: Florian Weimer at the University of Stuttgart
- Monitor DNS queries and responses near recursive servers
  - Needs a physical network location with visibility
  - Filter down to just the DNS queries/responses
- Know what is being asked for, and what responses are received back from the authority servers
- Put it in a database
- Find out all kinds of interesting stuff!

Slide 4: Queryable PDNS Collections
- BFK (Florian's)
- SIE (ISC)
- DNSParse (Bojan)
- CERT-EE
- One Ring to Rule Them All? passive-dns-query-tool

Slide 5: Inside vs. Outside
- Where do we monitor from?
- (Diagram: a PDNS sensor placed either inside, between the clients and the recursive server, or outside, between the recursive server and the authoritative servers)
Slide 6: Inside Monitoring
- Get all resolution attempts (minus stub caching)
- Good for watching for volume spikes
- Volume can be quickly overwhelming
- Know the exact machine(s) making requests
- Can track down infections to the source
- Privacy concerns (ISPs)

Slide 7: Outside Monitoring
- See aggregate numbers of resolutions for the organization, ISP, etc.
- Easier data management
- Lose volume information to caching
- Privacy and internal security concerns largely handled

Slide 8: SIE Model (diagram; source: ISC)

Slide 9: Mapping Criminal Infrastructure (diagram; source: ISC)
Slide 10: Tracking Down a Spam
From: Claire Newell anarchdd@yeonil.net
Subject: Fwd:
Date: April 4, :44:06 PM PDT

Slide 11: Whois pillsgy.com???
Domain Name: PILLSGY.COM
Registrar: IPNIC, INC.
Whois Server: whois.myorderbox.com
Referral URL:
Name Server: NS1.DNSPLAC.COM
Name Server: NS2.BEZZDNS.RU
Status: clienttransferprohibited
Updated Date: 03-apr-2011
Creation Date: 18-mar-2011
Expiration Date: 18-mar-2012

Registrant:
Koshil Igor
Igor Koneva str
Koneva str
Omsk Omsk, RU
Tel
Fax

Creation Date: 18-Mar-2011
Expiration Date: 18-Mar-2012

Domain servers in listed order:
ns1.dnsplac.com
ns2.bezzdns.ru

Administrative Contact:
Koshil Igor
Igor Koneva str
Koneva str
Omsk Omsk, RU
Tel
Fax

Slide 12: Oh Goodie
- V1agr4, eh.
Slide 13: Passive DNS Doesn't Look Bad
IP search: found 2 records (columns: Host/Domain Name, First Seen, IP, ASN, BGP Netblock; the IP and ASN values did not survive transcription)
  pillsgy.com   :43:   /12
  pillsgy.com   :28:

Nameserver search: found 4 records
  Nameserver           First Seen
  ns2.bezzdns.ru       :43:27
  ns1.dnskt.com        :43:27
  ns1.ezydomain.com    :28:22
  ns2.ezydomain.com    :28:22

Slide 14: Let's Look at That IP
inetnum:
netname:      NINBO-LANZHONG-LTD
country:      CN
descr:        Ninbo Lanzhong Network Ltd
descr:
admin-c:      TD209-AP
tech-c:       CS64-AP
status:       ASSIGNED NON-PORTABLE
changed:      auto-dbm@dcb.hz.zj.cn
mnt-by:       MAINT-CN-CHINANET-ZJ-SX
source:       APNIC

role:         CHINANET-ZJ Shaoxing
address:      No.9 Sima Road,Shaoxing,Zhejiang
country:      CN
phone:
fax-no:
e-mail:       anti-spam@mail.sxptt.zj.cn
trouble:      send spam reports to antispam@mail.sxptt.zj.cn
trouble:      and abuse reports to anti-spam@mail.sxptt.zj.cn
admin-c:      CH109-AP
tech-c:       CH109-AP
nic-hdl:      CS64-AP
mnt-by:       MAINT-CHINANET-ZJ
changed:      master@dcb.hz.zj.cn
source:       APNIC

person:       Taichun Du
nic-hdl:      TD209-AP
e-mail:       anti-spam@mail.sxptt.zj.cn
address:      Shaoxing,Zhejiang.Postcode:
phone:
country:      CN
changed:      auto-dbm@dcb.hz.zj.cn
mnt-by:       MAINT-CN-CHINANET-ZJ-SX
source:       APNIC
Slide 15: Jackpot!
Your query returned 438,394 records. Sample of hostnames returned (the first-seen timestamps, 1/26/2011 to 4/4/2011, did not survive transcription intact):
  0.2k.medicsy.com
  0.2l60.medicsy.com
  medicdm.com
  medicsy.com
  topmedicb.ru
  t.medicsy.com
  0.6fj0.medicsy.com
  0.bsirr.doctorgco.ru
  0.bsirr.sodoctorg.ru
  0.bsirr.sudoctorg.ru
  0.cf7ts7.topmedicb.ru
  0.cf9.topmedicb.ru
  0.ct.medicsy.com
  0.cu60.medicsy.com
  0.d.medicsy.com
  candmedic.ru
  candoctor.ru
  candx.wke.asterwase.net
  cazht.medicinexi2.ru
  cazkt.extralegallow.org
  cazuy.pharmacyrx38.com
  cb.r.10yearsextrces.net
  cb6kf.v.topmedicb.ru
  cb6n8.8a.medicsy.com
  cb6s.gy.topmedicb.ru
  cb6zy.5v2rt.medicsy.com
  cb8.t.medicsy.com
  cba8g.st9al.topmedicb.ru
  cbaaf.rxshopds9.com

Slide 16: How About a Nameserver?
Found 26 records (all first seen 4/3/2011 or 4/4/2011):
  bljxpills.ru
  brjxpills.ru
  caxrpills.com
  chxrpills.com
  dnsplac.com
  doctorje.com
  doctorod.com
  doctorrg.com
  doctorrl.com
  fajxpills.ru
  gejxpills.ru
  medicaqap.ru
  medicaqar.ru
  medicaqch.ru
  medicaqci.ru
  medicaqee.ru
  medicaqen.ru
  midiclxia.ru
  midiclxic.ru
  midiclxme.ru
  midiclxnf.ru
  midiclxto.ru
  pillsin.com
  pillsll.com
  rafpills.com
  stpills.com
Slide 17: Tracking Malware C&Cs
- Once you know a C&C IP, you can start tracking down probable C&C and rendezvous domains
- Zeus is a great example: typically controlled via a series of domains
- Let's take data from ZeusTracker and see if we can improve detection using PDNS

Slide 18: ZeusTracker (screenshot)

Slide 19: Zeus C&C IP
- Located in Romania
- ZeusTracker has 6 domains on it

Slide 20: Passive DNS Expands the Story
- 13 records on 12 distinct domains: double the action for blocking and remediation

Slide 21: Even More to Find
- Checking one of the new domains for this IP, we find 2 new IPs from topupdates.ru
- Turns out several of the new domains just weren't seen on the first IP, but were spotted there later
- PDNS would greatly improve detection speed
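The IP-to-domain-to-IP pivot of slides 17 to 21, written out as an added example (not the presenter's code and not any PDNS service's API). The records are a constructed in-memory stand-in for a PDNS A-record query result; every hostname except topupdates.ru is invented, and the IPs are documentation ranges.

```python
from collections import namedtuple

# Constructed stand-in for A-record rows returned by a PDNS query:
# rrname (queried name), rdata (answer IP), first_seen (date).
PdnsRecord = namedtuple("PdnsRecord", "rrname rdata first_seen")

# Constructed sample data. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges; every hostname except topupdates.ru (named on slide 21) is invented.
SAMPLE_RECORDS = [
    PdnsRecord("cfg1.example", "203.0.113.10", "2011-03-01"),        # listed on the public tracker
    PdnsRecord("cfg2.example", "203.0.113.10", "2011-03-02"),        # listed on the public tracker
    PdnsRecord("topupdates.ru", "203.0.113.10", "2011-03-20"),       # PDNS-only find on the C&C IP
    PdnsRecord("topupdates.ru", "198.51.100.7", "2011-03-25"),       # same domain moved to new IPs
    PdnsRecord("topupdates.ru", "198.51.100.8", "2011-03-26"),
    PdnsRecord("drop.example", "198.51.100.7", "2011-03-27"),        # only ever seen on a 2nd-hop IP
    PdnsRecord("www.cdn-shared.example", "203.0.113.10", "2011-01-05"),  # shared host, known good
]

TRACKER_DOMAINS = {"cfg1.example", "cfg2.example"}   # what the tracker list already has
KNOWN_GOOD = {"www.cdn-shared.example"}              # whitelist against shared-hosting false positives


def domains_on_ip(records, ip):
    return {r.rrname for r in records if r.rdata == ip}


def ips_for_domain(records, name):
    return {r.rdata for r in records if r.rrname == name}


def pivot(records, seed_ips, known_good=frozenset(), max_hops=2):
    """Expand seed C&C IPs into related infrastructure by alternating
    IP -> domains seen on it -> IPs those domains resolved to, up to max_hops.
    Returns every IP and domain reached, minus known-good names."""
    ips, domains = set(seed_ips), set()
    frontier_ips = set(seed_ips)
    for _ in range(max_hops):
        new_domains = set()
        for ip in frontier_ips:
            new_domains |= domains_on_ip(records, ip) - known_good - domains
        domains |= new_domains
        frontier_ips = set()
        for name in new_domains:
            frontier_ips |= ips_for_domain(records, name) - ips
        ips |= frontier_ips
        if not frontier_ips:            # nothing new to follow
            break
    return {"ips": ips, "domains": domains}


def added_by_pdns(result, tracker_domains):
    """Domains the pivot reached that the tracker list did not have."""
    return result["domains"] - tracker_domains


if __name__ == "__main__":
    res = pivot(SAMPLE_RECORDS, {"203.0.113.10"}, KNOWN_GOOD)
    print("block IPs:", sorted(res["ips"]))
    print("block domains:", sorted(res["domains"]))
    print("new vs tracker:", sorted(added_by_pdns(res, TRACKER_DOMAINS)))
```

Each hop widens the blocklist and also dates when a domain first moved, which is the detection-speed gain the slide points at.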
Slide 22: Fast-Flux Detection
- PDNS is an excellent way to find new FFLUX domains and hosts
- Set up traps on new (or old) domains/hosts and watch for the tell-tales:
  - Multiple IPs across ASNs
  - Lots and lots of hostnames (wildcarding)
- Was particularly good for ROCK/Avalanche
- Not in vogue as much these days

Slide 23: FFLUX Example
- Suspected Avalanche domain: platinumalbumm.com
- Detected via flux behavior, 31/8/2010
- Found 175 records (columns: First Seen, IP, ASN, BGP Netblock; only timestamp fragments and one /14 netblock survived transcription)
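The two tell-tales on slide 22 turned into a scoring check over PDNS records, as an added example (not the presenter's code). The records, the ASN lookup table and the thresholds are constructed for illustration; platinumalbumm.com is the domain from slide 23, the hostnames under it are invented.

```python
# Constructed ASN lookup standing in for a BGP/whois source; ASNs are from the
# private range and IPs from documentation ranges.
ASN_OF = {
    "203.0.113.5": 64500, "198.51.100.9": 64501, "192.0.2.77": 64502,
    "192.0.2.78": 64502, "203.0.113.200": 64503, "192.0.2.1": 64510,
}

# Constructed PDNS (hostname, IP) pairs. platinumalbumm.com is the suspected
# Avalanche domain from slide 23; the hostnames under it and the control
# domain legit.example are invented.
FLUX_RECORDS = [
    ("platinumalbumm.com", "203.0.113.5"),
    ("platinumalbumm.com", "198.51.100.9"),
    ("platinumalbumm.com", "192.0.2.77"),
    ("www.platinumalbumm.com", "192.0.2.78"),
    ("x9k2.platinumalbumm.com", "203.0.113.200"),
    ("q7ff.platinumalbumm.com", "203.0.113.5"),
    ("legit.example", "192.0.2.1"),
    ("www.legit.example", "192.0.2.1"),
]


def flux_indicators(records, base_domain, asn_of=ASN_OF):
    """Count the two tell-tales from slide 22 for one registered domain:
    distinct IPs spread across distinct ASNs, and distinct hostnames (wildcarding)."""
    suffix = "." + base_domain
    ips, hosts = set(), set()
    for rrname, ip in records:
        if rrname == base_domain or rrname.endswith(suffix):
            ips.add(ip)
            hosts.add(rrname)
    asns = {asn_of[ip] for ip in ips if ip in asn_of}
    return {"ips": len(ips), "asns": len(asns), "hostnames": len(hosts)}


def is_fast_flux(ind, min_ips=4, min_asns=3, min_hosts=50):
    """Thresholds are assumptions for illustration, not values from the deck.
    Either tell-tale on its own is enough to raise the domain for review."""
    spread = ind["ips"] >= min_ips and ind["asns"] >= min_asns
    wildcard = ind["hostnames"] >= min_hosts
    return spread or wildcard


def flag_flux_domains(records, asn_of=ASN_OF):
    """Apply the check to every registered domain (naively, last two labels) in the feed."""
    bases = {".".join(h.split(".")[-2:]) for h, _ in records}
    return sorted(b for b in bases if is_fast_flux(flux_indicators(records, b, asn_of)))


if __name__ == "__main__":
    for base in ("platinumalbumm.com", "legit.example"):
        print(base, flux_indicators(FLUX_RECORDS, base))
    print("flagged:", flag_flux_domains(FLUX_RECORDS))
```

Run against a real feed the ASN spread is the discriminating signal; the IP count alone is inflated by CDNs and shared hosting, the false-positive sources slide 51 lists.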
Slide 24: Bullet Proof Hosting
- PDNS allows you to explore entire hosting locations to tie criminal activities together
- Search CIDR blocks and correlate the data
- Can't kill a pharma shop or replica knock-offs? Go after them for the phishing and malware hosting
- Better chance of getting them de-peered when the nastier stuff is on the table

Slide 25: Monitoring Your Infrastructure
- PDNS is a great tool for alerting you to unauthorized activity involving your names and your IP space:
  - Take-over of infrastructure (hacking/hijacking)
  - Compromises of machines for hosting malicious content or activities
  - The latest marketing campaign you weren't told about
  - Domain name expirations

Slide 26: Finding Bots on Your Network
- Map out your IP infrastructure and set up standard scans/alerts based on new hostname mappings appearing
- Filter out known-good domains/hosts
- Filter known anomalies:
  - DNS tunneling services
  - SonicWall router responses
  - Other bizarre chaff that shows up
- ISPs may want to filter dynamic DNS services; maybe not, depending on the hostname

Slide 27: Sample Network Scan
- Let's look at a large bank range (a /12)
- 1751 records we've seen in the past 18 months
- Lots of standard junk:
  - 918 DNS tunneling hosts, e.g. b9d2183d19a87a6776d09df644df5dab898a.1.ziyouforever.com
  - 830 SonicWall hosts, e.g. c52e682d griddnsd.global.sonicwall.com
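The scan-and-filter procedure of slides 26 and 27 as an added example (not the presenter's code): take the PDNS records inside a monitored netblock, drop known-good hosts, bucket the known chaff, and leave the rest for review. The records are constructed; 203.0.113.0/24 stands in for the bank's /12, and the two chaff patterns are written from the example hostnames on slide 27.

```python
import ipaddress
import re

# Constructed PDNS (hostname, IP) records for a monitored range. Hostnames marked
# "slide" appear in the deck; the rest are invented. 203.0.113.0/24 is a
# documentation range standing in for the bank /12.
RECORDS = [
    ("b9d2183d19a87a6776d09df644df5dab898a.1.ziyouforever.com", "203.0.113.4"),  # slide: DNS tunneling
    ("c52e682d griddnsd.global.sonicwall.com", "203.0.113.9"),  # slide: SonicWall, as transcribed
    ("pnncfoxrtfz.ekuxejqw.com", "203.0.113.44"),               # slide: needs review
    ("midvalleydental.net", "203.0.113.51"),                    # slide: needs review
    ("www.intranet.example", "203.0.113.2"),                    # invented known-good host
    ("mail.other.example", "198.51.100.3"),                     # invented, outside the range
]

KNOWN_GOOD_SUFFIXES = (".intranet.example",)

# Chaff rules in the order they are tried; the first match wins.
CHAFF_RULES = [
    # Tunneling services encode data in a very long hex leftmost label.
    ("dns-tunnel", re.compile(r"^[0-9a-f]{24,}\.")),
    # SonicWall devices register under this fixed suffix.
    ("sonicwall", re.compile(r"griddnsd\.global\.sonicwall\.com$")),
]


def scan_netblock(records, cidr, known_good_suffixes, chaff_rules):
    """Bucket every record whose IP is inside cidr into known_good, chaff
    (by rule name) or review; records outside the range are ignored."""
    net = ipaddress.ip_network(cidr)
    report = {"known_good": [], "chaff": {}, "review": []}
    for host, ip in records:
        if ipaddress.ip_address(ip) not in net:
            continue
        if host.endswith(known_good_suffixes):
            report["known_good"].append(host)
            continue
        for label, rx in chaff_rules:
            if rx.search(host):
                report["chaff"].setdefault(label, []).append(host)
                break
        else:
            report["review"].append(host)
    return report


def summarize(report):
    """Counts per bucket, the shape of the numbers quoted on slide 27."""
    out = {"known_good": len(report["known_good"]), "review": len(report["review"])}
    out.update({k: len(v) for k, v in report["chaff"].items()})
    return out


if __name__ == "__main__":
    rep = scan_netblock(RECORDS, "203.0.113.0/24", KNOWN_GOOD_SUFFIXES, CHAFF_RULES)
    print(summarize(rep))
    for host in rep["review"]:
        print("review:", host)
```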
Slide 28: Three Records to Examine
- No bank hosts showing up: good, it's a non-public network space!
- uluqwovl.info ->
- pnncfoxrtfz.ekuxejqw.com ->
- midvalleydental.net ->
- The first one is just plain weird: no ties to anything else, and not operative
- The third is odd, until you look at this:
  - dig midvalleydental.net ->
  - dig ->

Slide 29: pnncfoxrtfz.ekuxejqw.com
- Whois looks bad:
  - Registrar: TODAYNIC.COM, INC.
  - Creation Date: 05-mar-2011
  - Nameservers: N588.COZVEND.BIZ, N776.COZVEND.BIZ
- On some spam lists, not working now
- Rotated IPs

Slide 30: IPs Moving All Over
- Found 9 records (columns: First Seen, IP, ASN, BGP Netblock; only timestamp fragments survived transcription)
Slide 31: Nameservers Look Suspicious
Found 60 records; domains shown (first-seen times did not survive transcription):
  adubapot.com
  afohilim.com
  afypisur.com
  ahamifej.com
  ajupymyx.com
  amqzewit.com
  apimywax.com
  arohuhuv.com
  atasyzel.com
  avqfugqv.com
  awyxufel.com
  azyjyroc.com
  ekqtagiw.com
  ekuxejqw.com
  elqvizyk.com
  epofapeb.com
  itipytob.com
  ixohoren.com
  izetqmab.com
  ocesytaw.com
  ofyruwqb.com
  ogqhejej.com
  ogycovqb.com
  omizodav.com
  orynypoh.com
  osodigaw.com
  owapupih.com
  oxaxesuz.com
  qdopqcqh.com
  qdulyjqd.com
  qfatunam.com
  qgucipyl.com

Slide 32: pnncfoxrtfz.ekuxejqw.com
- Google cache of this one: oops!

Slide 33: pnncfoxrtfz.ekuxejqw.com
- Following that link: sure not our bank!
Slide 34: Data Exfiltration
- The same techniques can be used to spot data exfiltration from your networks
- Google found Aurora via DNS logs; PDNS works from the outside, or in conjunction with an inside monitoring position, without the overhead of DNS log parsing
- Night Dragon case: well, not so much. We didn't see the hosts in the main passive feed (we got them from a separate source)
- The assumption is that they used the hacked company's own recursive servers for resolution to the data dump domains

Slide 35: RSA Breach
Several reported domains/subdomains:
  AGOOGLE.IN
  ALBERTSTEIN.DDNS.US
  ALVINTON.JETOS.COM
  BILLGATES.ITSAOL.COM
  BUFFET.BBSINDEX.COM
  BUFFET80.ITSAOL.COM
  DOMIKSTART.HOPTO.ORG
  FOOTBALL.DYNAMICLINK.DDNS.US
  FREE NET
  FTP.XMAHOME.OCRY.COM
  GOOD.MINCESUR.COM
  OBAMA.SERVEHTTP.COM
  PRC.DYNAMICLINK.DDNS.US
  SAFECHECK.ORGANICCRAP.COM
  SMTP.DYNAMICLINK.DDNS.US
  SUPERAROUND.NS02.BIZ
  UP82673.HOPTO.ORG

Slide 36: RSA Breach Prelim PDNS Info
- A few of those domains appear to be outliers
- Attacks may have lasted months
- Most IPs for the activity were in China, a few in South Korea and India, and at least one in the US
- We found several unreported ftp hostnames that point straight to possible exfiltration of data:
  ;; first seen: :46:  ftp.alvinton.jetos.com. IN A  CHINA
  ;; first seen: :51:  ftp.alvinton.jetos.com. IN A  CHINA
Slide 37: Detecting Domain Hijacking
- Set up watches for changes to the nameservers and/or IP addresses of critical hostnames under a domain
- Can combine with active DNS monitoring of critical assets
- Changes to the ASNs used by those hosts, or moves into known or suspicious neighborhoods, can be alerted for investigation
- Can use the PDNS database to determine whether the event is specific or widespread (e.g. registry hack, domain account take-overs)

Slide 38: Bangladesh gets p0wned
- Through active DNS monitoring, we spotted microsoft.com.bd being moved onto malicious-looking nameservers and an odd IP address
- Sure enough: domain name hijacking!

Slide 39: PDNS Tells the Bigger Story
- A lot more victims = registry hack
- Looks like a cross-site scripting attack against BD NIC
- Found 4 records:
    Nameserver                 First Seen   Host
    localh0st1.avjournal.com   :51:15       google.com.bd
    localh0st1.avjournal.com   :53:36       hsbc.com.bd
    localh0st1.avjournal.com   :26:00       music.com.bd
    localh0st1.avjournal.com   :28:19       aloashbei.com.bd
- Found 3 records for hsbc.com.bd (IP values did not survive transcription):
    Host/Domain Name   First Seen   IP   ASN     BGP Netblock
    hsbc.com.bd        :38:46            9221    /24
    hsbc.com.bd        :32:31            40244   /19
    hsbc.com.bd        :49:08            9221    /24
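The watch described on slide 37 and the scope check of slides 38 and 39, as an added example (not the presenter's code): diff a baseline of nameserver/IP/ASN for a critical name against the current observation, then ask the PDNS store which other names moved onto the same nameserver in the same window. Baseline values, the suspicious ASN, and the full timestamps are constructed; localh0st1.avjournal.com and the .com.bd victim names are from slide 39.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    host: str
    nameservers: frozenset
    ip: str
    asn: int


# Constructed baseline and current state for the critical name from slide 38.
# Nameservers/IPs/ASNs are invented except localh0st1.avjournal.com (slide 39).
BASELINE = {
    "microsoft.com.bd": Observation("microsoft.com.bd",
                                    frozenset({"ns1.msft.example", "ns2.msft.example"}),
                                    "192.0.2.10", 64500),
}
CURRENT = {
    "microsoft.com.bd": Observation("microsoft.com.bd",
                                    frozenset({"localh0st1.avjournal.com"}),
                                    "203.0.113.66", 64666),
}
SUSPICIOUS_ASNS = {64666}   # constructed "bad neighborhood" list

# Constructed PDNS NS observations: (nameserver, host, first_seen). The hosts are
# the four victims on slide 39; the full timestamps are invented.
PDNS_NS = [
    ("localh0st1.avjournal.com", "google.com.bd", "2011-04-05T10:51:15"),
    ("localh0st1.avjournal.com", "hsbc.com.bd", "2011-04-05T10:53:36"),
    ("localh0st1.avjournal.com", "music.com.bd", "2011-04-05T11:26:00"),
    ("localh0st1.avjournal.com", "aloashbei.com.bd", "2011-04-05T11:28:19"),
    ("ns1.msft.example", "microsoft.com.bd", "2010-01-01T00:00:00"),
]


def detect_changes(baseline, current, suspicious_asns):
    """Return (host, reasons, current_observation) for every watched host
    whose nameservers, IP or ASN differ from baseline or land in a bad ASN."""
    alerts = []
    for host, base in baseline.items():
        cur = current.get(host)
        if cur is None:
            continue
        reasons = []
        if cur.nameservers != base.nameservers:
            reasons.append("nameserver change")
        if cur.ip != base.ip:
            reasons.append("ip change")
        if cur.asn != base.asn:
            reasons.append("asn change")
        if cur.asn in suspicious_asns:
            reasons.append("suspicious asn")
        if reasons:
            alerts.append((host, reasons, cur))
    return alerts


def scope_of_event(alert_host, new_nameservers, pdns_ns, since):
    """Other hosts first seen on the same nameserver(s) since `since` (ISO 8601).
    Many victims under one registry suffix points at the registry rather than
    at one account; the suffix split is naive and assumes two-label ccTLD suffixes."""
    victims = sorted({h for ns, h, seen in pdns_ns
                      if ns in new_nameservers and seen >= since and h != alert_host})
    suffixes = {h.split(".", 1)[1] for h in victims}
    if len(victims) >= 3 and len(suffixes) == 1:
        verdict = "widespread: single registry suffix, possible registry compromise"
    elif len(victims) >= 3:
        verdict = "widespread: several suffixes, possible DNS provider or account take-overs"
    else:
        verdict = "targeted"
    return victims, verdict


if __name__ == "__main__":
    for host, reasons, cur in detect_changes(BASELINE, CURRENT, SUSPICIOUS_ASNS):
        print(host, reasons)
        print(scope_of_event(host, cur.nameservers, PDNS_NS, "2011-04-01"))
```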
Slide 40: Take-over of Legit DNS
- Bad guys like to use DNS, but know their own domains can get blocked or shut down
- Great leverage if you can compromise the DNS of a real site:
  - Can't (or shouldn't) block or shut down a legit domain
  - Site owner may be unaware of the compromise
  - Can be done in conjunction with the site, or just the DNS

Slide 41: Domain DNS Take-over Vectors
- Control all aspects (website and DNS):
  - Registrar/hosting combo accounts
  - Cpanel or other management tools
  - The site server looks guilty, as the evil content is present on it
- Control the DNS only:
  - Registrar or DNS provider take-over
  - P0wn the nameserver
  - IPs for the legit and the illegitimate servers differ

Slide 42: Legit website (screenshot)

Slide 43: Hitchhiker Site
- URL path: bnkofamericasityk1eybknofamerica/bnkofamericasitykeybknofamerica/signon.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin

Slide 44: PDNS Tells a Story
- Found 3 records in Passive DNS (columns: IP Address, ASN, BGP Netblock, First Seen, Host/Domain; IP and ASN values did not survive transcription):
    :06:36   bankofamerica.com.sitekey.securepages.infoupdate.verifyinfo.townhouseflorida.com
    :19:20   bankofamerica.com.townhouseflorida.com
    :40:30   townhouseflorida.com
- Note that a wildcard DNS record for a domain can be exploited similarly if you have compromised the site. Thanks Peter!
Slide 45: Disaster Scams
- Katrina, Indian Ocean Tsunami, Haiti, Japan
- Disaster scams are set up to solicit funds
- Lots of real efforts too: careful analysis needed
- PDNS is a great tool for finding them quickly, in any ccTLD or subdomain
- Generate lists for automated and human analysis

Slide 46: Japan Disaster Tracking Sample
- Set up alerts for likely string combos: Japan & Tsunami, Sendai & Earthquake, etc.
- Whitelists and automation to block known sites and find likely candidates
- Human review of the likely ones

Slide 47: donations-help.webs.com (screenshot)

Slide 48: Same Techniques for Brands
- Search for terms and typo variants
- Group results and drill in on potential offenders
- Set up alerts on new hits for potential nastiness:
    The following alerts for "google" were generated on at 23:35. Search terms: google
    ggoogle.de
    goodgoogle346.cn
    google-secrets.com
    googlematt.com
- Build cases based on a large corpus of offender data
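One alerting pass that covers slides 44 to 48 together, as an added example (not the presenter's code): keyword combos for disaster scams, brand terms and their typo variants, a whitelist for the real brand domains, and a separate "hitchhiker" tag when the brand appears as a whole label under someone else's domain. The hostnames marked "slide" are from the deck; the rest, the rule names and the typo generator are constructed.

```python
# Constructed PDNS hostnames. Those marked "slide" appear in the deck; the others
# are invented. .example is a reserved TLD.
HOSTNAMES = [
    "bankofamerica.com.sitekey.securepages.infoupdate.verifyinfo.townhouseflorida.com",  # slide 44
    "bankofamerica.com.townhouseflorida.com",   # slide 44
    "townhouseflorida.com",                     # slide 44, the real registered domain
    "ggoogle.de", "goodgoogle346.cn", "google-secrets.com", "googlematt.com",  # slide 48
    "www.google.com",                           # invented legit host, whitelisted
    "japan-tsunami-relief-donate.example",      # invented disaster-combo hit
    "sendai.example",                           # invented: only one term, no hit
    "bnkofamerica-secure.example",              # invented typo-variant hit
]

WHITELIST = {"google.com", "bankofamerica.com"}

# Rule name -> terms that must ALL appear (slide 46's "Japan & Tsunami" combos).
ALERT_RULES = {
    "brand:google": {"google"},
    "brand:bankofamerica": {"bankofamerica"},
    "disaster:japan": {"japan", "tsunami"},
    "disaster:sendai": {"sendai", "earthquake"},
}


def typo_variants(term):
    """Common typo forms: one letter dropped, one letter doubled, adjacent swap."""
    out = set()
    for i in range(len(term)):
        out.add(term[:i] + term[i + 1:])
        out.add(term[:i] + term[i] + term[i:])
        if i + 1 < len(term):
            out.add(term[:i] + term[i + 1] + term[i] + term[i + 2:])
    out.discard(term)
    return out


def registered_domain(host):
    """Naive registered-domain guess (last two labels). A public-suffix list is
    needed for ccTLD second-level registries such as .com.bd."""
    return ".".join(host.split(".")[-2:])


def contains_all(host, terms):
    """Match terms across label and hyphen boundaries (e.g. 'japan-tsunami')."""
    flat = host.replace("-", "").replace(".", "")
    return all(t in flat for t in terms)


def alerts_for(hostnames, rules, whitelist):
    """Return (rule, host, kind) hits; kind is 'hitchhiker' when a brand term is a
    whole label under another domain (the wildcard trick of slide 44),
    'typo' for a typo variant, else 'keyword'."""
    hits = []
    for host in hostnames:
        if registered_domain(host) in whitelist:
            continue
        labels = host.split(".")
        for rule, terms in rules.items():
            is_brand = rule.startswith("brand:")
            if contains_all(host, terms):
                kind = "hitchhiker" if is_brand and any(l in terms for l in labels) else "keyword"
                hits.append((rule, host, kind))
            elif is_brand and len(terms) == 1:
                (term,) = tuple(terms)
                if any(contains_all(host, {v}) for v in typo_variants(term)):
                    hits.append((rule, host, "typo"))
    return hits


if __name__ == "__main__":
    for hit in alerts_for(HOSTNAMES, ALERT_RULES, WHITELIST):
        print(hit)
```

Hits tagged "hitchhiker" should be triaged as a compromised third-party site rather than a look-alike registration, because the domain to take down is the legitimate one.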
Slide 49: Need a Zone File?
- If it's being used, you can get it via PDNS
- I've solved my ccTLD access problems!
- Subdomain resellers aren't a major issue any more
- Can use the info to understand hostname behavior and properly categorize hosting companies, DNS providers and the like
- Would have REALLY helped ICE when they shut down mooo.com to have done this kind of analysis (besides just looking at their homepage)

Slide 50: Sample Zones
- .TK: 1 million plus
- Mooo.com: 35K records. Just what is stuff like 0wrr6d267.mooo.com for, anyway?
- ibm.com: 947 records
- facebook.com: just kidding! A bazillion records
- Not 100%, but pretty good coverage

Slide 51: Challenges/Pitfalls/Gotchas
- Not everything is perfect in PDNS land
- False positives due to shared hosting
- People treating the DNS badly:
  - DNS tunneling
  - Facebook
  - Akamai and CDNs
  - Domain parking sites

Slide 52: The Future

Slide 53: More Sensors Needed. Help!
Slide 54: Use of Caching DNS for Botnets
1) Victim PC is infected
2) Attacker registers a domain or subdomain
3) Attacker encodes the malware binary in a set of CNAME RRs in the authoritative zone, with long TTLs
4) Attacker queries for the malware RRs through popular open recursive servers, and those servers cache the responses
5) Attacker removes the domain used from delegation
6) Malware on the victim PC uses DNS queries to the same popular open resolvers to acquire the code
7) Removal of the authoritative server doesn't mitigate the threat, because the cached CNAME RRs persist well beyond remediation
Paper by Rodriguez and Hidalgo -

Slide 55: Automating Detection
- Two interesting proposals: Notos and EXPOSURE
- Notos: Dynamic Reputation System for DNS. Build reputation and apply it to new hosts
- EXPOSURE: Feature-Based System for PDNS. Train on features and use the model to tag new hosts
Slide 56: Notos (figure)

Slide 57: Notos (figure)

Slide 58: EXPOSURE (figure)

Slide 59: Questions?

Slide 60: Practical Usage of Passive DNS Monitoring for E-Crime Investigations
Thanks!
Rod Rasmussen, President & CTO, Internet Identity
rod.rasmussen <isat> internetidentity.com
More informationFAQ (Frequently Asked Questions)
FAQ (Frequently Asked Questions) Specific Questions about Afilias Managed DNS What is the Afilias DNS network? How long has Afilias been working within the DNS market? What are the names of the Afilias
More informationJPCERT/CC Internet Threat Monitoring Report [January 1, 2015 - March 31, 2015]
JPCERT-IA-2015-02 Issued: 2015-04-27 JPCERT/CC Internet Threat Monitoring Report [January 1, 2015 - March 31, 2015] 1 Overview JPCERT/CC has placed multiple sensors across the Internet for monitoring to
More informationSecuring Your Business with DNS Servers That Protect Themselves
Product Summary: The Infoblox Secure DNS Solution mitigates attacks on DNS servers by intelligently recognizing various attack types and dropping attack traffic while responding only to legitimate queries.
More informationFast Flux Hosting and DNS ICANN SSAC
Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique Goal Avoid detection and take down of web sites used for illegal purposes Technique Host illegal content at many sites
More informationUnified Security Management and Open Threat Exchange
13/09/2014 Unified Security Management and Open Threat Exchange RICHARD KIRK SENIOR VICE PRESIDENT 11 SEPTEMBER 2014 Agenda! A quick intro to AlienVault Unified Security Management (USM)! Overview of the
More informationHow to Stop Spam Emails and Bounces
Managing Your Email Reputation For most companies and organizations, email is the most important means of business communication. The value of email today, however, has been compromised by the rampant
More informationSecuring Your Business with DNS Servers That Protect Themselves
Product Summary: The Infoblox DNS security product portfolio mitigates attacks on DNS/DHCP servers by intelligently recognizing various attack types and dropping attack traffic while responding only to
More informationAttribution: The Holy Grail or Waste of Time? Billy Leonard Google Should this be the end, our Holy Grail? How s that picture going to help you now? But, the pictures make me safer! We can do better. Our
More informationDNS Traffic Monitoring. Dave Piscitello VP Security and ICT Coordina;on, ICANN
DNS Traffic Monitoring Dave Piscitello VP Security and ICT Coordina;on, ICANN Domain Names ICANN coordinates the administra2on of global iden2fier systems Domain names provide user friendly identification
More informationEndpoint Threat Detection without the Pain
WHITEPAPER Endpoint Threat Detection without the Pain Contents Motivated Adversaries, Too Many Alerts, Not Enough Actionable Information: Incident Response is Getting Harder... 1 A New Solution, with a
More informationComprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)
Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware
More informationThe Use of DNS Resource Records
International Journal of Advances in Electrical and Electronics Engineering 230 Available online at www.ijaeee.com & www.sestindia.org/volume-ijaeee/ ISSN: 2319-1112 Simar Preet Singh Systems Engineer,
More informationWebsense Web Security Solutions. Websense Web Security Gateway Websense Web Security Websense Web Filter Websense Hosted Web Security
Web Security Gateway Web Security Web Filter Hosted Web Security Web Security Solutions The Approach In the past, most Web content was static and predictable. But today s reality is that Web content even
More informationCurrent Counter-measures and Responses by the Domain Name System Community
Current Counter-measures and Responses by the Domain Name System Community Paul Twomey President and CEO 22 April 2007 APEC-OECD Malware Workshop Manila, The Philippines 1 What I want to do today in 15
More informationRSA Security Anatomy of an Attack Lessons learned
RSA Security Anatomy of an Attack Lessons learned Malcolm Dundas Account Executive John Hurley Senior Technology Consultant 1 Agenda Advanced Enterprise/ Threats The RSA Breach A chronology of the attack
More informationAPNIC WEIRDS Roadmap
APNIC WEIRDS Roadmap What is WEIRDS? RDAP (Registry Data Access Protocol) Alternative to Whois Potentially a replacement A change of data format: JSON instead of Routing Policy Specification Language (RPSL)
More informationWHEN THE HUNTER BECOMES THE HUNTED HUNTING DOWN BOTNETS USING NETWORK TRAFFIC ANALYSIS
WHEN THE HUNTER BECOMES THE HUNTED HUNTING DOWN BOTNETS USING NETWORK TRAFFIC ANALYSIS /ABOUT/ME Thomas Chopitea - Incident handler @CertSG Digital forensics & incident response (#DFIR), malware analysis,
More informationConcierge SIEM Reporting Overview
Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts
More informationKnow Your Foe. Threat Infrastructure Analysis Pitfalls
Know Your Foe Threat Infrastructure Analysis Pitfalls Who Are We? Founders of PassiveTotal Analysts/researchers with 10+ years of collective experience Interested in Better UX/UI for security systems Improving/re-thinking
More informationAkamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies DENOG 5 14 th November 2013
Akamai CDN, IPv6 and DNS security Christian Kaufmann Akamai Technologies DENOG 5 14 th November 2013 Agenda Akamai Introduction Who s Akamai? Intelligent Platform & Traffic Snapshot Basic Technology Akamai
More informationWho Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015
Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence AIBA Quarterly Meeting September 10, 2015 The Answer 2 Everyone The relationship between the board, C-suite, IT, and compliance leaders
More informationWEB ATTACKS AND COUNTERMEASURES
WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in
More information24/7 Visibility into Advanced Malware on Networks and Endpoints
WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014 Table of Contents Introduction
More informationSecurity Monitoring of DNS traffic
Security Monitoring of DNS traffic Bojan Zdrnja CompSci 780, University of Auckland, May 2006. b.zdrnja@auckland.ac.nz Abstract The Domain Name System (DNS) is a critical part of the Internet. This paper
More informationExploring the Black Hole Exploit Kit
Exploring the Black Hole Exploit Kit Updated December 20, 2011 Internet Identity Threat Intelligence Department http://www.internetidentity.com http://www.internetidentity.com 12/29/11 Page 1/20 Summary
More informationDistributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015
Distributed Systems 09. Naming Paul Krzyzanowski Rutgers University Fall 2015 October 7, 2015 2014-2015 Paul Krzyzanowski 1 Naming things Naming: map names to objects Helps with using, sharing, and communicating
More informationCITADEL TROJAN OUTGROWING ITS ZEUS ORIGINS
CITADEL TROJAN OUTGROWING ITS ZEUS ORIGINS May 2012 As of April 30th, 2012 the Citadel Trojan was at its fourth upgrade with Version 1.3.4.0 already in the hands of its customers. Citadel s features, bug
More informationAddressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave
More informationInto the cybersecurity breach
Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing
More informationSecurity from the Cloud
Security from the Cloud Remote Vulnerability Scanning Writer: Peter Technical Review: David Contact: info@hackertarget.com Published: April 2008 Summary: This white paper describes advantages of using
More informationREPUTATION-BASED MAIL FLOW CONTROL
WHITE PAPER REPUTATION-BASED MAIL FLOW CONTROL Blocking Extreme Spam and Reducing False Positives Blocking unsolicited commercial email or spam is an increasingly important but difficult task for IT staff.
More informationDeciphering and Mitigating Blackhole Spam from Email-borne Threats
Deciphering and Mitigating Blackhole Spam from Email-borne Threats Samir Patil Symantec Deciphering and Mitigating Blackhole Spam from Email-borne Threats 1 Outline 1 Background 2 Detection Challenges
More informationRepsheet. A Behavior Based Approach to Web Application Security. Aaron Bedra Application Security Lead Braintree Payments. tirsdag den 1.
Repsheet A Behavior Based Approach to Web Application Security Aaron Bedra Application Security Lead Braintree Payments Right now, your web applications are being attacked And it will happen again, and
More informationCompliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.
ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework
More informationCYBERCRIMINAL IN BRAZIL SHARES MOBILE CREDIT CARD STORE APP
CYBERCRIMINAL IN BRAZIL SHARES MOBILE CREDIT CARD STORE APP August 2014 RSA agents recently traced a threat actor advertising a mobile credit card store application. The cybercriminal shared the information
More informationIndicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis
Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis United States Computer Emergency Readiness Team (US-CERT) Detection and Analysis January 2011 Background As the number
More information